I have three types of URLs to be protected:
UI - /ui/**
RESTful Web Service - /ws/rest/**
SOAP Web Service - /ws/soap/**
For UI URLs, if a user is not authenticated, I want it to be redirected to login page automatically, if the URL is not authorized to access, it should show a friendly page instead of the default 403 error page.
It's quite simple, just specify a "login-page" and "access-denied-page" as below:
Now, the problem is that for the RESTful and SOAP web service, it behaves differently. For an unauthenticated user, a 401 error page should be returned to the client instead of redirecting to a login page, for unauthorized URLs 403 error code should be returned instead of a user friendly "access-denied-page". How can I do that?
<security:http auto-config='true' access-denied-page="/ui/accessDenied.jsp">
<security:intercept-url pattern="/ui/test.jsp" access="ROLE_ROLE" />
<security:intercept-url pattern="/ws/rest/*" access="ROLE_ADMIN" />
<security:intercept-url pattern="/ws/soap/*" access="ROLE_ADMIN" />
I am using Spring Security 2.0 with name space configuration.